DE69827405T2 - SYSTEM AND METHOD FOR A MULTIPURPOSE CHIP CARD THAT ENABLES SUBSEQUENT STORAGE OF AN APPLICATION TO THIS CARD - Google Patents

Abstract

A system and method allow card issuers to securely add applications during the lifetime of the card after the card has already been issued (post issuance). Loading of an application and/or objects from an application server via a card acceptance device (and its supporting system infrastructure delivery mechanism) onto a card post issuance is performed in a secure and confidential manner. A smart card includes a card domain application that manages the card. Any number of security domain applications on the card provide security for loaded applications by managing keys; each application is associated with a security domain. Each of the card domain and security domains has a command interface for off-card communication, and an API for internal card use. The card life cycle includes the states of masked, initialized, load secured and blocked. An application life cycle includes the states of not available, loaded, installed, registered, personalized, activated and blocked. An application can block the card.

Description

AREA OF INVENTION

These The invention relates to smart cards. In particular, refers This invention relates to a system and method for providing a multipurpose chip card, which is a subsequent storage of an application on this map allows.

BACKGROUND THE INVENTION

A Chip card is typically a credit card sized plastic card that contains a semiconductor chip, which supports many applications Can hold data.

Technically is similar to a chip card or smart card, hereinafter referred to as Chip card, a conventional "credit card", in which one or a plurality of semiconductor devices on an embedded in the card Module are attached, which provides contacts to the outside. The map Can be used with a pay machine, an ATM or an in a phone integrated card reader, a computer, a vending machine or any other devices.

A Microcontroller semiconductor device embedded in a "processor" chip card is, the card allows the execution a number of computing steps, protected storage, encryption and decisions. Such a microcontroller normally includes a microprocessor, memory and other functional hardware elements. Different types of cards are in "The Advanced Card Report: Smart Card Primer ", Kenneth R. Ayer and Joseph F. Schuler, The Schuler Con sultancy, 1993, described.

The 1 shows an example of a smart card constructed as a processor card. Of course, a chip card can be varied. The smart card may be programmed with various types of functionality including applications such as stored value; Credit / debit, Loyalty programs, etc.

In some embodiments, a smart card 5 a built-in microcontroller 10 on top of that, a microprocessor 12 , a random access memory (RAM) 14 , a read-only memory (ROM) 16 , a non-volatile memory 18 , an encryption module 22 and a card reader interface 24 includes. Other features of the microcontroller may be present, but are not shown, such as a clock, a random number generator, an interrupt controller, a control logic, a charge pump, power supply terminals and interface terminals that allow the card to communicate with the outside world.

The microprocessor 12 is any suitable central processing unit (CPU) for executing instructions and controlling the device. The RAM 14 serves as a memory for calculated results and as a stack. The ROM 16 stores the operating system, fixed data, standard routines and lookup tables. The non-volatile memory 18 (such as an EPROM or EEPROM) serves to store information which should not be lost when the card is disconnected from a power source, but which must also be changeable, for data specific to individual cards or any over the life of the cards to include possible changes. This information may include a card identification number, a personal identification number, authorization levels, account balances, credit limits, etc. The encryption module 22 is an optional hardware module used to execute a variety of encryption algorithms. The card reader interface 24 includes the software and hardware necessary to communicate with the outside world. A large variety of interfaces is possible. By way of example, the interface 24 provide a contact interface, a close coupled interface, a remotely coupled interface, or a variety of other interfaces. With a contact interface, signals from the microcontroller are routed to a number of metal contacts on the outside of the card which come into physical contact with similar contacts of a card reader device.

Various mechanical and electrical characteristics of a chip card 5 and aspects of their interaction with a card reader device are defined by the following specifications.
Visa Integrated Circuit Card Specification, (Visa International Service Association 1996).
EMV Integrated Circuit Card Specification for Payment Systems, (Visa International Service Association 1996).
EMV Integrated Circuit Card Terminal Specification for Payment Systems, (Visa International Service Association 1996).
EMV Integrated Circuit Card Application Specification for Payment Systems, (Visa International Service Association 1996).
International Standard: Identification Cards - Integrated Circuits) Cards with Contacts, Parts 1-6 (International Standards Organization 1987-1995).

Prior to issuing a smart card to a card user, the smart card is initialized to store some data in the card. For example, the smart card may fail during initialization at least one application, such as a credit value or a value of existing cash, an initialized file structure, and some initial encryption keys for transport security. Once a card is initialized, it is usually personalized. During personalization, the smart card is loaded with data that uniquely identifies the card. For example, the personalization data may include a maximum value of the card, a personal identification number (PIN), the currency in which the card is valid, the expiration date of the card, and encryption keys for the card.

It is a limitation conventional smart cards, that new applications do not normally output to one Chip card to be added can. Chip cards are conventionally issued with one or more predefined applications that while of the manufacturing process of the card were installed. As a result, will the chip card in the conventional Chip card construction after issuing to a card user to one Card with fixed applications. If a new application is desired, so the chip card is usually thrown away and a new chip card, which includes the new application is output.

It is desired specify a smart card that allows the loading of applications, after the card has been issued. It is also desirable to have one Specify mechanism to load an application as well as the general management of the applications on the chip card. In addition is it wanted to allow an application provider to provide encryption keys to keep the issuer of the chip card secret and to allow it safely that applications of different units work together on one card can exist.

The DE-A-196 07 363 discloses a multi-purpose chip card. After the card is outputted, the data existing on the card becomes corresponding a map setup routine updates the data the chip card to modify, such as a validity date. This allows an update of the chip card, but not the loading applications on the map. US-A-5 530 232 discloses a similar one Arrangement.

SUMMARY THE INVENTION

embodiments of this invention teach a system and method whereby card issuers while can add to the operating time of the card applications after the card is issued was (hereinafter referred to as subsequent storage or later Store). Saving or loading an application after the card was issued to the cardholder, is here as a "safer Installation process ".

The System and method according to the embodiments of this invention allow the subsequent Storage of an application and / or objects of an application server via a Card receiving device and its supporting system infrastructure feeding mechanism in a secure and confidential way on a map.

A embodiment This invention provides a system and method of control of at least one related to a issued chip card standing function ready. Managed in a multi-purpose chip card a privileged application, referred to here as a map domain, is many Functions relating to the chip card. Examples of these functions include card initialization, global map data, the operating cycle of the Card and secure installation of smart card applications.

One Method according to one embodiment of this Invention for providing a first application on a dispensed Smart Card includes the steps of transmitting the first application the issued chip card; and loading the first application the issued chip card, whereby loading the first application managed by a second application.

According to one Another aspect of the invention is a system according to one embodiment of this invention for controlling at least one output Chip card related function revealed. The system includes a first application associated with the issued smart card is related; and a second application that issued with the Chip card is related, the second application with the first application communicates and at least one communicates with the first one Application-related function manages.

Further, an embodiment of this invention provides a system and method for providing confidential information to an application on a smart card. In a general purpose smart card, a privileged application, referred to herein as a security domain, is used as a trusted proxy of an application provider. This security domain may include encryption keys which may be kept secret from the smart card issuer, thereby separating encryption security between the issuer and the application provider. When a new application is stored (loaded) on a smart card, the newly stored application can use the encryption service of the associated security domain. A privileged application representing the publisher, referred to herein as a map domain, may acknowledge commands, such as initialization and personalization commands, by invoking the security domain encryption service. In this way, a subsequent storage of an application can be performed on the issued chip card.

One Method according to one embodiment of this Invention for providing confidential information to an application in a chip card is specified. The method comprises the steps providing a first application in the smart card, wherein the first application comprises an encryption service; of Storing a second application on the smart card; and installing the second application, where the encryption service of the first Application is used to install the second application.

According to one Another aspect of the invention is a system accordingly an embodiment of this invention for providing confidential information to an application specified in a chip card. The system includes a first application, which is in connection with the issued chip card, wherein the first application comprises an encryption service; and a second application related to the issued Smart card is available, the second application with the first application communicates and the encryption service included in the first application for at least uses a function related to the second application becomes.

According to one more Another aspect of the invention is a method according to one embodiment of this invention for providing a smart card with an application specified. The method comprises the steps of outputting a smart card; loading a first application onto the issued smart card; and initializing the first application.

SUMMARY THE DRAWINGS

1 Figure 12 shows a block diagram of a smart card system suitable for implementing this invention.

2 shows an example of a block diagram of software layers that may be used in a smart card.

3A - 3B 10 show block diagrams of examples of software layers according to embodiments of this invention.

4 FIG. 12 shows a flowchart of an example of a method according to an embodiment of this invention for installing an application on an issued smart card using a card domain.

5 FIG. 12 shows a flow diagram of a method according to one embodiment of this invention for providing sensitive information to an application in a smart card using security domains.

6 FIG. 12 shows a flowchart of an example of a method according to an embodiment of this invention for installing an application on an issued smart card using a card domain.

7A FIG. 12 is a flowchart showing a sequence of operation times of a card. FIG.

7B shows a flowchart of a sequence of Betriebsdau conditions of a map.

8th shows a representation of an example of an operating cycle of a card.

9 FIG. 12 shows a flowchart of an example of a method according to an embodiment of this invention for locking a card using a map domain. FIG.

10 Figure 12 is a block diagram illustrating interactions between a card domain and a security domain on a smart card according to an embodiment of this invention.

11A and 11B Figure 12 shows flowcharts of an example of a method according to an embodiment of this invention for loading an application using a security domain after the smart card has been issued.

12A - 12B Figure 12 shows flowcharts of an example of a method according to an alternative embodiment of this invention for storing an application using a security domain after the smart card has been issued.

13 shows a block diagram illustrating an example of a key management and key dependencies for the subsequent storage of applications on the smart card.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The The following description is given to a person skilled in the art To enable area to carry out the invention and to use, and is in the context of a patent application and their requirements. To the professionals in the field are various modifications of the preferred embodiments can be seen and the general principles given here can with other embodiments be used. This means, It is not intended that this invention be limited to the embodiments shown is limited, but that they are on with the ones described here Principles and characteristics consistent widest scope is.

2 shows a block diagram of an example of software layers that can be used in a smart card. In the 2 shown chip card includes an operating system 200 , an application programming interface (API) 204 the map and applications 206A - 206B , The operating system 200 may include functionality to control the cards, memory management, input / output (I / O), and encryption features. The map API 204 uses the commands of the operating system 200 and write these commands into blocks that can be reused for common routines in many applications. The applications 206A and 206B can via commands from the API 204 be executed on the chip card. These applications may include any application that can be executed on a smart card, such as a stored value, credit, debit, pass, and loyalty.

A embodiment This invention is based on the Java Map Standard. In this case will be Applications referred to as 'applets' and are written to connect to a Java Map API which are based on the Java Map standard Smart Card is available application programming interface.

Although that in 2 The conventional software system shown allows many applications, it does not solve the problem of how an application can be safely stored after the issue of the smart card to a user. If an application is to be stored after being issued, ie subsequently, a mechanism is needed to manage the storage of an application as well as for the general administration of the applications on the chip card. In addition, an application provider may desire to keep the encryption keys secret from the publisher of the smart card. Accordingly, a mechanism is required to perform the separation of confidential information between an application provider and a publisher of a smart card. Embodiments of this invention address such a need.

3A - 3B 12 show block diagrams of the software components of a smart card according to embodiments of this invention. The arrows indicate dependencies between the components. 3A shows an embodiment of a smart card using a card domain, whereas 3B shows an embodiment of a smart card using a security domain and a card domain.

This in 3A Example shown includes an operating system 300 , a map API 304 , Applications 305A - 305C , a map domain 308 and an Open Platform (OP) API 306 , This in 3 shown system allows a secure and managed retrofitting an application on a smart card.

The Open Platform API 306 shares commands in the map domain 308 and the security domains 310A - 310B (in 3B shown). As a result, the OP API allows 306 the formation of commands into sentences, which as in a part of the map domain 308 and the security domains 310A - 310B can be identified.

The applications 305A - 305C can include any application that is supported by a smart card. Examples of these applications include credit, debit, stored value, transfer, and loyalty. It is shown that the applications 305A - 305C Command interfaces include, for example, APDU interfaces 354A - 354C that enable communication with the external environment.

The applications 305A - 305C can use commands from the Map API 304 be executed on the chip card. The map API 304 is implemented using the commands from the card operating system and writes these instructions into blocks which can be reused for common routines by many applications. The professionals in the field can recognize that between the API 304 and the operating system 300 a translation layer or an interpreter can be arranged. An interpreter interprets the various hardware chip instructions from the output-specific operating system 300 in a form, which by the map API 304 can be used.

The map domain 308 can be a "privileged" application that reflects the interests of the smart card issuer. As a "privileged" application, the card domain 308 be configured to perform various functions to manage various aspects of the smart card. For example, the map domain 308 Perform functions such as installing an application on the smart card, installing security domains 310A - 310B (in 3B shown), the personalization and reading of global map data, managing the card's cycle life cycle states (including card locking), performing the revocation of a locked card, conducting an assignment of card applications 305A - 305C to security domains 310A - 310B and running security domain functions for applications 305A - 305C which is not a security domain 310 are assigned.

It is shown that the map domain 308 an API 350 and a command interface, such as an Application Protocol Data Unit (APDU) interface 352 , The APDU interface 352 enables interfacing with the external environment according to, for example, International Standards Organization (ISO) Standard 7816-4, entitled "Identification Cards - Integrated circuit (s) cards with contacts - Part 4, Inter-industry commands for interchange".

For example, the APDU interface 352 during the subsequent installation of an application or while saving global map data. An option of saving and installing an application is executed via a set of appropriate APDU commands, which are provided by the map domain 308 Will be received. The API 350 enables the connection with the internal chip card environment. For example, the API 350 used when the map domain 308 as a default instead of a security domain 310 is used, or when an application requires information, such as the global map data, data on the origin of keys, or information related to the life cycle of the card.

Memory allocations were performed at the time an application is in an install state. An application is also personalized after saving and installing. A personalized application includes specific data related to the card holder and other required data that enable the execution of the application. In addition to managing the installation and personalization of the application, the map domain 308 also manage global map information. Global map information includes information that may be needed by multiple applications to perform their functions, such as the name of the card holder and unique data of the card used in cryptographic application applications. The map domain 308 may be a location for the global map information to avoid multiple storage of the same data.

The map domain 308 It may also manage the operating conditions of the card, which include blocking the card. The smart card usually goes through several states during its service life. The map domain 308 detects what state the card is in during its service life. The map domain 308 can also manage a lock request to lock down essentially all functions of the card. Further details of managing a blocking request by the map domain 308 be related to 6 explained. The map domain 308 may also detect the state of an application during the lifetime of an application. This type of information relating to an application may be used during a revision of a card. The revision can be performed at any time during the life of a card. For example, the revision may be performed after a card has been locked or before a new application is installed to validate the card contents. Although essentially all card functions no longer function when a card is locked, a publisher may be able to request information regarding a state of an application or the duration of operation of the card to the card domain 308 to deliver. In this way, the publisher of a card can still access a profile of the locked card and its applications.

3B shows an embodiment of this invention, which is a security domain 310 and a map domain 308 ' used. This in 3B Example shown includes an operating system 300 ' , a map API 304 ' , Applications 305A ' - 305C ' , Security domains 310A - 310B , a map domain 308 ' and an Open Platform (OP) API 306 ' , This in 3B The system shown also allows secure and managed subsequent storage of an application on a smart card.

The map domain 308 ' can work together with a security domain 310 work. The security domain 310 is a logical construct that can be implemented as an application to security-related functions for the map domain 308 ' and with the security domain 310 to provide related applications. The security domains 310A - 310B can assist in safe subsequent storage of an application on the smart card. The security domains 310A - 310B provide a mechanism that preserves the confidential information of the application provider, such as encryption secret key to the publisher of the smart cards.

On a smart card can many security domains 310 exist, each represented by a unique encryption relationship. A security domain 310 is responsible for managing and exchanging encryption keys and associated encryption procedures that make up the security domain encryption relationship. An application that is subsequently stored on the smart card can be connected to a security domain, preferably with only one security domain. However, many applications can use the same security domain 310 be connected. During the phase in which the chip card has not yet been issued, applications installed can optionally have a security domain 310 connected to using the keys of the security domain 310 to load confidential personalization data to these applications.

The software of the security domain 310 may be installed by the card manufacturer during the manufacture of the card (for example, when the ROM is masked) or added during the stages of initialization or personalization. security domains 310 can be implemented as selectable applications that are isolated from each other and the rest of the system. Is a security domain 310 as an application implemented in a java card, the normal security of the java card can be trusted to isolate the security domain 310 to secure. Additionally or alternatively, other security mechanisms, such as hardware backup, may be implemented through the implementation of the OP API 306 be used. The OP API 306 can use certain security features to isolate the security domain 310 to effect. An example of such a security feature is the use of chip hardware security routines provided by the OP API 306 can be used.

Every security domain 310A - 310B provides a command interface, such as an application protocol data unit (APDU) interface 320A - 320B , for communication from the map, and APIs 322A - 322B ready for communication on the map.

The APDU interface 320A or 320B It consists of personalization commands and is intended to allow the initial storage of security domain keys and to assist in key exchange during the uptime of the security domain, if desired. The APIs 322A - 322B may include a signature verification method and a decryption method associated with the card domain 308 ' shared for subsequent storage of applications. Additionally, applications can use the API interfaces 322A - 322B to decrypt confidential application data. It can be seen that the map domain 308 ' can always work as a security domain and does this as a default as well.

The security domain 310 manages the signature and decryption keys and provides an encryption service using these keys. The security domain 310 develops APDUs for various functions. These functions may include key management functions, such as key storage and update functions. During a secure installation of an application, the security domain may 310 Service for the map domain 308 ' to decrypt an application installation file and verify the signature of an application file. For one with a security domain 310 related application provides the security domain 310 This application provides decryption and signature functions, such as MACing an APDU command to update keys during the personalization phase of a newly installed application. Thereafter, the application may use the updated key to decrypt and verify signatures of subsequent key updates.

The publisher of the smart card can decide if the security domain 310 used for transfers a static key or a session key. A static key is an encryption key that exists in front of the processing APDUs that exists during and after processing the APDUs. A session key is an encryption key that can be generated for a particular transmission and that is normally no longer used for APDU processing after transmission. If a session key is used, then the security domain redirects 310 preferably has its own session key for the processing APDUs.

4 FIG. 12 shows a flow chart of a method of applying an application to a smart card according to an embodiment of this invention. This in 4 Example shown is also when installing a security domain 310 applicable to the chip card. It should be noted that all flowcharts in this application are merely examples. As a result, the illustrated steps This and any other flowchart may occur in different orders and in varying ways to accomplish substantially the same goal.

A chip card is issued (step 400 ) and an application is transmitted to the issued chip card (step 402 ). The transmission of the application can be done by any electronic media that can be connected to a smart card and connected to a suitable network. For example, devices such as an ATM, a telephone with display, or a computer may be used to transfer an application to an issued smart card. The submitted application is then loaded onto the smart card, loading the application from the card domain 308 managed (step 404 ).

5 FIG. 12 shows another flowchart of a method for communicating an application to a issued smart card according to an embodiment of this invention. A smart card is created and provided with a first application, the first application containing an encryption service (step 1002 ). A second application is loaded onto the smart card (step 1004 ). After that, the second application is installed, using the encryption service of the first application to install the second application (step 1006 ).

The 6 FIG. 12 shows another flowchart of an example of a method for communicating an application to a issued smart card according to an embodiment of this invention. This method of submitting an application is also to submitting a security domain 310 applicable to the chip card. In the in 6 As shown, a publisher issues chip cards to customers (step 500 ). It is decided to install a vendor application on the issued chip card (step 502 ). Upon initiation of a dialogue between the publisher and the smart card, a pre-signed copy of the application is transmitted to the smart card (step 504 ). As previously indicated, the dialogue between the publisher and the smart card may be via any electronic device that may be connected to a smart card and connected to a suitable network. The application may be pre-signed with a key equivalent to that already existing on the card, so that each application has a unique signature that can be verified by the card.

The map domain 308 can then follow the steps to load the application. The map domain 308 decrypts the submitted application and verifies the signature of the application (step 508 ). The map domain 308 can decrypt the application using the secret key of the publisher. A suitable encryption method, such as the Data Encryption Standard (DES) or 3DES, may be used to decrypt at least a portion of the application. Those skilled in the art will recognize that a number of encryption techniques may be used to implement embodiments of this invention. For purposes of illustration, symmetric key techniques will be addressed, although asymmetric techniques may be used. A good general reference regarding encryption is Schneier, Applied Cryptography, 2nd Ed. (John Wiley, 1996).

It is then determined whether the signature of the application is valid (step 510 ). If the signature associated with the application is not valid, the application will not be loaded on the card and the process will be terminated (step 520 ). However, if the signature associated with the application is valid, then the application will be installed and available for personalization. During personalization, the application receives personalization data (step 512 ). Personalization data includes data that is unique with respect to the user of the smart card. For example, personalization data in an airline loyalty application may include the preferred location, preferred food, and entitlement for various potential perks of the user of the smart card. The personalization data can also be signed and encrypted.

The application then calls the card domain decryption service 308 for the received personalization data (step 513 ). The map domain 308 then performs a verification of the signature of the received personalization data (step 514 ). Methods of decrypting personalization data and verifying signatures are well known in the art. Finally, the application can be activated (step 518 ).

A new application, the later loaded onto a smart card can be stored in a variety of ways. An example is to save the application in a file. It's another example, a pointer to the application object respectively.

7A FIG. 10 is a flowchart illustrating an example of a card operation period. FIG. The procedure is preferably regarded as irreversible. The first card state is when the chip card mas is coded ( 700 ). While masked state ( 700 ) the chip card receives its operating system, its card identification and preferably at least one application. The masked state ( 700 ) is reached as soon as all necessary components for card initialization are available. An example of when the necessary components are available is when the map domain 308 and the OP API 306 and if the Java Map Environment is enabled, such as a Java Map Virtual Machine and a Java Map API.

After the masked state, the next state is the initialized state ( 702 ). The initialized state is reached after all card activities requiring an initialization key are completed. As part of card initialization must be the application of the map domain 308 installed and registered, if not already done. In addition, one or more security domains can also be installed and registered. These installed domains must then be selected and personalized. An initialization key is a secret key that is normally used by a smart card manufacturer while loading data onto the smart card before it is issued.

The next state is secured loading ( 704 ). The secure load state is reached after a secure install mechanism (reload / save) is set up to load applications during the remaining card uptime.

The last card state is when the card is either expired or locked ( 706 ). The locked state is reached as soon as an authorized smart card application has received a command to block the card.

The card operating time is preferably an irreversible sequence of states of increasing security. The initialized and all subsequent states of the card operating time and their transitions are preferably under the control of the card domain 308 , The map domain 308 Executes and responds to commands that result in a transition of one state of card run time to the next. These instructions are preferably application protocol data unit (APDU) instructions. The map domain 308 is also responsible for installing applications on the card, but preferably has no authority over application life conditions. Each application is preferably responsible for managing the operating states of its own application service life, but it allows the map domain 308 preferably, to have access to their operating conditions for testing.

The Card operating time is designed so that the security level, which is required by the card in each successive state will rise. As stated earlier, the operating time is also set up as a process that run in one direction only It can be used to ensure that it is in good working condition after boarding Assured security features the only option is yourself in the next Condition of operating time to move to a higher security level having. The map domain as system security management of the card performs the current operating condition, enforces the associated safety requirements and controls the State transitions during the Card operating duration.

7B FIG. 10 is a flowchart illustrating an example of an application operation period. FIG. The application does not exist at the beginning ( 750 ). The next state is a loaded state ( 752 ). The application reaches the loaded state after the application has been loaded onto the smart card. The application will then be installed ( 754 ) and registered ( 756 ). If the application is registered, it can then be deleted at any time. The next state is the personalized state in which personalized information is included in the application ( 758 ). Finally, the application can be invalidated or locked ( 760 ).

8th FIG. 12 is an illustration of an example of a map operation time line for a map for many applications. FIG. This timeline begins with a state of the masked ROM 800 and ends with a state in which the card is locked / invalid 802 is. In the state of the masked ROM 800 it is shown that applications A, B, C and D are installed. This example shows that applications A and B are installed in a masking state of the card, applications C and D are installed in an initialization state, and applications E and F are retrofitted.

In this example, Application A may be installed in ROM and throughout the life of the card from the state of the masked ROM 800 up to the status of the locked / invalid card 802 be used. Application B is also in the ROM and is used during a first part of the life of the smart card. The operating time of application B ends in the state 804 , Application C resides in a nonvolatile memory, such as an EEPROM, which is used during the init is loaded. It is shown that the application C in the state 806 expires. Application D is also in the EEPROM and will remain on the locked / invalid card state throughout the life of the card 802 used. The application E is in the state 808 a certain time after the issuing of the chip card installed. Application E is in the EEPROM and will remain in the locked / invalid card state until the end of the card's life 802 used. The application F is also subsequently in the state 810 installs and runs in the state some time before the end of the card operating time 812 from.

9 FIG. 12 shows a flowchart of a method for locking a card according to an embodiment of this invention. A card can be locked if an application detects a security breach. According to one embodiment of this invention, a smart card may be disabled while an application is being used. A locked card stops working, so a suspicious user can no longer use any of the applications on the smart card. A lockout is just one example of the many features that make up the map domain 308 to manage the other applications on the smart card. Examples of other functions include installing an application on the smart card, installing security domains 310A - 310B the personalization and reading of global map data, managing card life conditions including card locking, performing a revocation of a locked card, obtaining an assignment of security application map applications, and running security domain functions for applications; that are not associated with a security domain.

In the in 9 an example is being used (step 600 ). The application encounters a problem that triggers a request to lock the card from the application (step 602 ). The application then sends a request to lock the card to the map domain 308 (Step 604 ). The map domain 308 determines if the request to lock the card is valid (step 606 ). A request to lock the card may be valid if the request is from a particular application. If the request to lock the card is not valid, the card domain locks 308 the chip card is not (step 608 ). However, if the request to lock the card is valid then the card domain authorizes 308 locking the card (step 610 ) and the map domain 308 locks the chip card (step 612 ) so that the smart card rejects any attempted transmissions for all applications on the card.

10 shows a block diagram illustrating the use of the security domain 310 through the map domain 308 represents. The method and system of one embodiment of this invention allows many application providers to be represented on a smart card in a secure and confidential manner. This security and confidentiality can be ensured by the use of in 3 shown security domains 310A - 310B be achieved.

10 shows an example of a smart card, the two security domains 310A - 310B includes. In this example, it is assumed that a masked application 305A the smart card is associated with a security domain, such as the security domain 310A , and an additional application 305B is added later and associated with a second security domain, such as the security domain 310B , The arrows indicate key relationships between the various smart card units as now described. The masked application 305A uses key service from the security domain 310A to decrypt sensitive data and optional for complete personalization. The map domain 308 uses key service from the security domain 310B to decrypt and verify the signature of a subsequently loaded application, such as the subsequently loaded application 305B , The subsequently loaded application 305B uses key service from the security domain 310B to decrypt sensitive data and optional for complete personalization.

11A and 11B FIGURES show further flowcharts of an example of a method of applying an application to a issued smart card according to an embodiment of this invention. The card issuer decides on a security domain 310 on a chip card (step 1100 ). The publisher assigns the security domain 310 to a provider A (step 1102 ). Provider A, or an application developer for vendor A, generates encryption keys, such as those used in symmetric or asymmetric encryption (step 1104 ). Examples of this encryption include encryption, decryption, MACing, hashing, and digital signatures. Examples of encryption methods using such keys and suitable for implementing the embodiment of the method and system of this invention include the Data Encryption Standard (DES) and 3DES. The card personalization agent receives the keys and loads security domain keys that are associated with a particular security domain 310 associated with each chip card ( 1106 ). The card personalization agent receives smart cards and collects other data, OS, code and application and specific data of the card holder, and places the data on the smart card (step 1108 ).

The card issuer then hands the chip card to customers (step 1110 ). It is then decided to install the vendor A application on the smart card (step 1112 ). Upon initiation of a dialogue between the smart card issuer and the smart card, a signed copy of the application is transmitted to the smart card (step 1114 ).

The Application can with a key be signed, the equivalent to the one that already exists on the smart card, so that each one Application has a unique signature that verified by the smart card can be.

The map domain 308 the smart card then takes steps to load the application. The map domain 308 calls the associated security domain encryption service to decrypt the application and verify the signature (step 1118 ). It is then determined whether the signature is valid (step 1120 ). If the signature is not valid, the procedure ends (step 1122 ). However, if the signature is recognized as valid, the application receives personalization data that may be signed and optionally encrypted (step 1124 ). The loaded application then calls the encryption service and the signature verification of its associated security domain for the received personalization data (step 1126 ). The secret keys required to execute or operate the application, present on the smart card, are used to activate the application by authentication (step 1130 ).

12A and 12B FIG. 10 shows flowcharts of a method for delivering sensitive information to an application using a security domain. FIG 310 according to another embodiment of this invention. The publisher decides on a security domain 310 on a chip card (step 1200 ). A trusted party generates secret encryption keys and sends the keys in a secure manner to a card personalization agent (step 1201 ). A trusted party is usually a third party that performs the function of certifying the source of the information, such as a signature. A card personalization agent (which may be identical to the party being trusted) receives the key and loads a unique secure domain key associated with a particular security domain 310 associated with each chip card (step 1202 ).

The card personalization agent receives the smart card and collects other data, OS, code and application and specific data of the card holder, and places the data on the smart card (step 1204 ). The publisher then hands out the chip card to his customers (step 1206 ). It is decided to install the vendor A application on the issued chip card (step 1208 ). Provider A receives secret keys for the security domain 310 from the party that gets trusted (step 1110 ). The provider A then sends the smart card issuer a signed copy of the application of the provider A (step 1212 ).

Upon initiation of a dialogue between the smart card issuer and the smart card, a signed copy of the application is transmitted to the smart card (step 1214 ). The application may be signed with a key equivalent to that already existing on the smart card so that each application has a unique signature that can be verified by the smart card. The map domain 308 calls the security domain encryption service to decrypt the associated application and verify its signature (step 1218 ). It is then determined whether the signature is valid (step 1220 ). If the signature is not valid, the procedure is ended (step 1222 ).

However, if the signature is valid, the application receives personalization data that may be signed and optionally encrypted (step 1224 ). The loaded application then calls the encryption service and signature verification of the security domain for the received personalization data (step 1226 ). The secret encryption data needed to run or operate the application on the card is used to activate the application (step 1230 ).

13 Figure 12 is a block diagram illustrating the use of the encryption keys for reloading an application onto a smart card. Applications that are not masked and are not loaded during the card initialization or personalization state must load their executables using a secure installation method, such as the reload described in the previous figures. The applications can be loaded using the encryption keys of the map domain. The applications are then decrypted and their signature can be obtained using the key service of the corresponding security domain 310 be verified. Consequently, at the desired security domain (s) 310 preferably Encryption and signature key installed before subsequent loading of the corresponding application.

In the in 13 example shown is just a security domain 310 shown as security domains 310 are not relevant to other applications to represent the loading of a single application. It should be noted that the result of the secure installation is initially a loaded application that subsequently needs to be installed, registered, and personalized. After loading, the application is installed, preferably by issuing an installation APDU command to the map domain 308 , An application can be installed if its installation procedure was successful. When an application is in an installed state, memory allocations have occurred. A loaded application should also be registered. When an application is registered, it is selectable and ready to process and respond to APDU commands. The installation and registration can be done simultaneously by the same APDU command. An application will also be personalized after loading. A personalized application includes specific data of the card holder and other required data that allows the execution of the application.

In the in 13 In the example shown, the encryption key and MAC / signature key are shown in the functions of the map domain 308 / Security domain 310 are included. If a security domain is associated with the loaded application, the security domain is invoked. Is not a security domain 310 associated with the application that is loaded, the encryption key and the signature key of the card domain become 308 used. In contrast to the installation commands sent to the chip card during the initialization phase, the subsequent installation command is not delivered in a secure environment, which is why it is preferably secured with an encryption key, such as a MAC / signature key. The map domain 308 manages the subsequent loading of a new application, whereas the security domain 310 ensures the validity and integrity of the new application after the new application is loaded on the smart card. Is not a security domain 310 associated with the newly loaded application, so does the map domain 308 the functions of the security domain 310 out. Once the new application is subsequently loaded, it is preferred to use various keys, such as an encryption key and a signature key, to install and personalize the application.

One Procedure and a system for a chip card domain and a security domain was revealed. Software written according to this invention can be stored in any form of computer readable medium such as a memory or a CD-ROM, or over Network transfer be executed by a processor.

Claims (24)

A method of loading a smart card application onto a smart card after the smart card has been issued to a card holder, the method comprising: - issuing ( 400 ) of the chip card to a card holder, wherein the chip card is a card domain application ( 308 ), which is arranged to manage the post loading of applications; - establishing communication between the smart card and a provider of the smart card application; - Load ( 404 ) of the smart card application to the smart card under control of the card domain application ( 308 ); and - verifying an encryption signature of the smart card application using the card domain application, wherein the smart card application is subsequently loaded onto the smart card in a secure manner. A method according to claim 1, further comprising: - feeding ( 1002 ) an encryption signature key to the card domain application before the smart card application is loaded onto the smart card; - Sign ( 1006 ) the smart card application using the encryption signature before the smart card application is loaded onto the smart card, the encryption signature being calculated using the encryption signature key; Calculating the encryption signature of the smart card application after the smart card application has been loaded onto the smart card, the calculation being performed by the card domain application using the encryption signature key supplied to the card domain application, whereby the item of verification can be executed by the map domain application. A method according to claim 1, further comprising: decrypting the smart card application by the card domain application after the smart card application has been loaded, whereby the smart card application in a secure manner is subsequently loaded on the chip card. A method according to claim 3, further comprising: - Feeding one Encryption encryption key to the map domain application before the smart card application is loaded onto the smart card; - Encrypt the Smart Card Application Using the Encryption Encryption Key Before the smart card application is loaded onto the smart card; and - in which the element of decryption, that from the map domain application accomplished is using the encryption encryption key, the map domain application supplied was, making the smart card application in a secure manner later is loaded on the chip card. A method according to claim 1, further comprising: - Load of personalization data for the smart card application on the smart card under control of the card domain application; and - Check one cryptographic signature personalization data using the map domain application, thereby the personalization data for the smart card application in a secure manner later the smart card will be loaded. A method according to claim 1, wherein the smart card further comprises a security domain application ( 310 ), which is arranged to manage the security of the reloading of applications, and the element of verification is executed by the security domain application. A method according to claim 1, wherein details of Elements of the review of cryptographic signature across from a publisher of the smart card are kept secret. A method of loading a smart card application onto a smart card after the smart card has been issued to a card holder, the method comprising: - issuing the smart card to a card holder, the smart card comprising a card domain application ( 308 ), which is arranged to manage the subsequent loading of applications, and a security domain application ( 310 ), which is arranged to manage the security of retrofitting applications; - Establishing a communication between the smart card and a provider of smart card application; - Loading the smart card application on the smart card; and calling an encryption service of the security domain application to validate the smart card application, whereby the smart card application is subsequently loaded onto the smart card in a secure manner. A method according to claim 8, further comprising: - Feeding one Encryption signature key to the security domain application, before the smart card application is loaded on the chip card; - Signing the smart card application using the encryption signature, before the smart card application is loaded onto the smart card, wherein the encryption signature calculated using the encryption signature key is; - To calculate the encryption signature the smart card application, after the chip card application has been loaded onto the chip card, the calculation being used by the security domain application the encryption signature key is executed, the security domain application supplied was, causing the map domain application is validated. A method according to claim 8, further comprising: - Decrypt the Smart card application through the security domain application after the smart card application which validates the smart card application. A method according to claim 10, further comprising: - Feeding one Encryption encryption key to the security domain application, before the smart card application is loaded onto the smart card; - Encrypt the Smart Card Application Using the Encryption Encryption Key Before the smart card application is loaded onto the smart card; and - in which the element of decryption, that from the security domain application is performed, uses the encryption encryption key, the map domain application supplied has been. A method according to claim 8, further comprising: - Load of personalization data for the smart card application on the chip card; and - Call an encryption service the security domain application, to validate the personalization data, resulting in the personalization data for the Chipcard application in a secure manner later on the smart card will be loaded. A method according to claim 8, wherein details of Elements of calling an encryption service over one Publisher of the chip card to be kept secret. A method according to claim 8, wherein the encryption service an encryption, decryption MAC, hashing or digital signature technology. A smart card arranged to load an application onto the smart card after the smart card has been issued to a card holder comprising smart card: a card domain application ( 308 ) arranged to manage the loading of the application onto the smart card; and a security domain application ( 310 ), which is arranged to manage the security of retrofitting applications, the security domain application comprising: an encryption key associated with the application encryption encryption service to validate the application after the application has been subsequently loaded, wherein the Encryption service uses the encryption key, and - a key management function associated with the encryption key, whereby the application can be subsequently loaded onto the smart card using the security domain application in a secure manner. A smart card according to claim 15, wherein the encryption key is a Encryption key is and wherein the encryption service is a decryption is what causes the security domain application can decrypt the application after the application is loaded on the smart card. A smart card according to claim 15, wherein the encryption key is a signature key is, and where the encryption service computes a digital signature, eliminating the security domains application can verify a signature of the application after the application is loaded on the smart card. A smart card according to claim 15, wherein the key management function loading or updating a key. A smart card according to claim 15, wherein security aspects the security domain application across from the map domain application secret become. A smart card arranged to load a plurality of applications onto the smart card after the smart card has been issued to a card holder comprising smart card: a card domain application ( 308 ) arranged to manage the loading of the applications onto the smart card; A first security domain application ( 310A ) arranged to provide security for a first post-load application comprising the first security domain application: - a first encryption key associated with the first application, the first encryption key facing the card domain and a second security domain application ( 310B ) is kept secret; and - the second security domain application ( 310B ) arranged to provide security for a second application to be subsequently loaded, the second security domain application comprises: a second encryption key associated with the second application, the second encryption key being kept secret from the card domain and the first security domain application whereby the first application and the second application can each be subsequently securely loaded using the first encryption key and the second encryption key. A smart card according to claim 20, wherein the first Encryption key Encryption key or a signature key and wherein the second encryption key is on Encryption key or is a signature key. A smart card according to claim 20, further comprising: - one in the first security domain included encryption service, to validate the first application after the first application later was loaded, with the encryption service uses the first encryption key, the details of the encryption services across from the map domain application and the second security domain application secret become. A smart card according to claim 20, further comprising: - one in the first security domain application includes Key management function. A smart card according to claim 23, wherein the key management function loading or updating a key.